/testing/guestbin/swan-prep
road #
 echo 3 > /proc/sys/net/core/xfrm_acq_expires
road #
 # install the SELinux policy module; generated in OUTPUT by east
road #
 semodule -i OUTPUT/ipsecspd.pp
road #
 ipsec start
Redirecting to: [initsystem]
road #
 ../../guestbin/wait-until-pluto-started
road #
 ipsec auto --add labeled
002 "labeled": added IKEv2 connection
road #
 echo "initdone"
initdone
road #
 # for port re-use in tests with protoport selectors
road #
 echo 1 >/proc/sys/net/ipv4/tcp_tw_reuse
road #
 # route; should be two policies
road #
 ipsec auto --route labeled
road #
 ../../guestbin/ipsec-look.sh
road NOW
XFRM state:
XFRM policy:
src 192.0.2.0/24 dst 192.0.2.219/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir fwd priority 2080718 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.2.219/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir in priority 2080718 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.0.2.219/32 dst 192.0.2.0/24
	security context system_u:object_r:ipsec_spd_t:s0
	dir out priority 2080718 ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.3.254 dev eth0
192.0.2.0/24 via 192.1.3.254 dev eth0 src 192.0.2.219
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
road #
 # trigger traffic
road #
 echo "quit" | runcon -t netutils_t timeout 15 nc  -p 4301 -vvv 192.0.2.254 4300 2>&1 | sed "s/received in .*$/received .../"
Ncat: Version 7.80 ( https://nmap.org/ncat )
NCAT DEBUG: Using system default trusted CA certificates and those in PATH/share/ncat/ca-bundle.crt.
NCAT DEBUG: Unable to load trusted CA certificates from PATH/share/ncat/ca-bundle.crt: error:02001002:system library:fopen:No such file or directory
libnsock nsock_iod_new2(): nsock_iod_new (IOD #1)
libnsock nsock_connect_tcp(): TCP connection requested to 192.0.2.254:4300 (IOD #1) EID 8
libnsock mksock_bind_addr(): Binding to 0.0.0.0:4301 (IOD #1)
libnsock nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.0.2.254:4300]
Ncat: Connected to 192.0.2.254:4300.
libnsock nsock_iod_new2(): nsock_iod_new (IOD #2)
libnsock nsock_read(): Read request from IOD #1 [192.0.2.254:4300] (timeout: -1ms) EID 18
libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 26
libnsock nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 26 [peer unspecified] (5 bytes): quit.
libnsock nsock_write(): Write request for 5 bytes to IOD #1 EID 35 [192.0.2.254:4300]
libnsock nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 35 [192.0.2.254:4300]
libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 42
libnsock nsock_trace_handler_callback(): Callback: READ EOF for EID 42 [peer unspecified]
libnsock nsock_trace_handler_callback(): Callback: READ EOF for EID 18 [192.0.2.254:4300]
Ncat: 5 bytes sent, 0 bytes received ...
libnsock nsock_iod_delete(): nsock_iod_delete (IOD #1)
libnsock nsock_iod_delete(): nsock_iod_delete (IOD #2)
road #
 # there should be 2 tunnels - each inactive in one direction
road #
 ipsec trafficstatus
006 #2: "labeled"[1] 192.1.2.23, type=ESP, add_time=1234567890, inBytes=0, outBytes=273, id='@east'
006 #3: "labeled"[2] 192.1.2.23, type=ESP, add_time=1234567890, inBytes=164, outBytes=0, id='@east'
road #
 # there should be no bare shunts
road #
 ipsec shuntstatus
000 Bare Shunt list:
000  
road #
 # let larval state expire
road #
 ../../guestbin/wait-for.sh --no-match ' spi 0x00000000 ' -- ip xfrm state
road #
 echo done
done
road #
 # There should be FOUR IPsec SA states (two sets), all with the same
road #
 # reqid. And there should be one set of tunnel policies using the
road #
 # configured ipsec_spd_t label, and no outgoing %trap policy
road #
 ../../guestbin/ipsec-look.sh
road NOW
XFRM state:
src 192.1.2.23 dst 192.1.3.209
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	security context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	security context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
src 192.1.2.23 dst 192.1.3.209
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	security context unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	security context unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 
XFRM policy:
src 192.0.2.0/24 dst 192.0.2.219/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir fwd priority 2080718 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.2.219/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir in priority 2080718 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.0.2.219/32 dst 192.0.2.0/24
	security context system_u:object_r:ipsec_spd_t:s0
	dir out priority 2080718 ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.3.254 dev eth0
192.0.2.0/24 via 192.1.3.254 dev eth0 src 192.0.2.219
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
road #
 # The IKE SA should be associated with the template connection
road #
 ipsec status |grep STATE_
000 #1: "labeled":500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in XXs; newest ISAKMP; idle;
000 #2: "labeled"[1] 192.1.2.23:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in XXs; newest IPSEC; isakmp#1; idle;
000 #3: "labeled"[2] 192.1.2.23:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in XXs; newest IPSEC; isakmp#1; idle;
road #
 
